Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 16-03-2024 11:36
Static task: static1
Behavioral task: behavioral1
Sample: cdf6aebe5de273b6f5d54ee844b3eaa8.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: cdf6aebe5de273b6f5d54ee844b3eaa8.exe
Resource: win10v2004-20240226-en
General
Target: cdf6aebe5de273b6f5d54ee844b3eaa8.exe
Size: 408KB
MD5: cdf6aebe5de273b6f5d54ee844b3eaa8
SHA1: 00ec31c8deaf1e6329a317dd95e0d6587f9fe137
SHA256: 52ce9cc373bec4f16a17d1c84bfda66b22e245c186d03022da08170f83552582
SHA512: 4c79d9f0d64f7a27431a301d6e928ec95068277d1543c4400e7dd0f328dfb712d310803dadd6444778289ae748a0b28eb00bf2d0762cf0fa352372b5a574d4c5
SSDEEP: 6144:C5+IFll+0ICu/5a0huFFEM6LYXxApXXOCASiwQMKlSef:K+IFlg06/opFEZsXx4H+G/Khf
Malware Config
Extracted
cybergate
v1.07.5
Cyber
dreamhacker.no-ip.biz:100
4PEY64RFP5RKV6
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: WinDir
install_file: Svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tmpD78.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | tmpD78.tmp.exe
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | tmpD78.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | tmpD78.tmp.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | tmpD78.tmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe Restart" | tmpD78.tmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{JX3R863I-B8MI-RMQ0-R5C0-O2RM10521I71}\StubPath = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | explorer.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1756 | tmpD78.tmp.exe
2456 | tmpD78.tmp.exe
1164 | Svchost.exe
-
Loads dropped DLL 3 IoCs
pid | Process
1756 | tmpD78.tmp.exe
2456 | tmpD78.tmp.exe
2456 | tmpD78.tmp.exe
-
resource | yara_rule
behavioral1/memory/560-544-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2456-843-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
behavioral1/memory/560-977-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/2456-1776-0x0000000010560000-0x00000000105C5000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | tmpD78.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\Svchost.exe" | tmpD78.tmp.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | tmpD78.tmp.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\Svchost.exe | tmpD78.tmp.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | tmpD78.tmp.exe
File created | C:\Windows\SysWOW64\WinDir\Svchost.exe | tmpD78.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1756 | tmpD78.tmp.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2456 | tmpD78.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2232 | cdf6aebe5de273b6f5d54ee844b3eaa8.exe
Token: SeBackupPrivilege | 560 | explorer.exe
Token: SeRestorePrivilege | 560 | explorer.exe
Token: SeBackupPrivilege | 2456 | tmpD78.tmp.exe
Token: SeRestorePrivilege | 2456 | tmpD78.tmp.exe
Token: SeDebugPrivilege | 2456 | tmpD78.tmp.exe
Token: SeDebugPrivilege | 2456 | tmpD78.tmp.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1756 | tmpD78.tmp.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2232 wrote to memory of 1756 | 2232 | cdf6aebe5de273b6f5d54ee844b3eaa8.exe | 28
PID 1756 wrote to memory of 1336 | 1756 | tmpD78.tmp.exe | 21
Processes
- C:\Windows\Explorer.EXE (PID 1336)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe (PID 2232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cdf6aebe5de273b6f5d54ee844b3eaa8.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe (PID 1756)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
      Signatures: Adds policy Run key to start application; Modifies Installed Components in the registry; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (PID 560)
        Command line: explorer.exe
        Signatures: Modifies Installed Components in the registry; Suspicious use of AdjustPrivilegeToken
      - C:\Program Files\Internet Explorer\iexplore.exe (PID 2064)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      - C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe (PID 2456)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpD78.tmp.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\WinDir\Svchost.exe (PID 1164)
          Command line: "C:\Windows\system32\WinDir\Svchost.exe"
          Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads